Analysis
-
max time kernel
146s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
25/12/2023, 05:07 UTC
Static task
static1
2 signatures
Behavioral task
behavioral1
Sample
06d2ff9a91b1eff161615886259a513d.exe
Resource
win7-20231215-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
06d2ff9a91b1eff161615886259a513d.exe
Resource
win10v2004-20231215-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
06d2ff9a91b1eff161615886259a513d.exe
-
Size
994KB
-
MD5
06d2ff9a91b1eff161615886259a513d
-
SHA1
99725449e7540632e8ccaa9b319c7248bb38b2a1
-
SHA256
67d21e6f78c0c86ff08395258f5b9f078b00aa04ee394eb26d5bce67f7ba0809
-
SHA512
5f6c9107e499c15d44c4b9218c8cffdee55ec0e11b0932f08ceb68bcc94f67f073155646f6ad5135ed2c6917f07ada03b772a9aacef75a8fe1b9e9596eb76c54
-
SSDEEP
12288:raWzgMg7v3qnCiMErQohh0F4CCJ8lnyC8nTfGDMHRH0IkEEJBPo7IAyUEXQZQ:eaHMv6CorjqnyC8T+DMxKEEJ+7IAlEB
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, killer.exe" 06d2ff9a91b1eff161615886259a513d.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts 06d2ff9a91b1eff161615886259a513d.exe -
Drops startup file 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .exe 06d2ff9a91b1eff161615886259a513d.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ .exe 06d2ff9a91b1eff161615886259a513d.exe -
resource yara_rule behavioral1/files/0x000e0000000122cc-13.dat upx -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\okiloveme.exe" 06d2ff9a91b1eff161615886259a513d.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\i: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\j: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\m: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\n: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\o: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\y: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\e: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\h: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\z: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\p: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\v: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\x: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\a: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\b: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\t: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\w: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\k: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\q: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\r: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\s: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\u: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\g: 06d2ff9a91b1eff161615886259a513d.exe File opened (read-only) \??\l: 06d2ff9a91b1eff161615886259a513d.exe -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral1/memory/1700-0-0x0000000000400000-0x00000000004C7000-memory.dmp autoit_exe behavioral1/files/0x0007000000016231-26.dat autoit_exe -
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Windows\autorun.inf 06d2ff9a91b1eff161615886259a513d.exe File created \??\c:\autorun.inf 06d2ff9a91b1eff161615886259a513d.exe File opened for modification C:\\autorun.inf 06d2ff9a91b1eff161615886259a513d.exe File created \??\f:\autorun.inf 06d2ff9a91b1eff161615886259a513d.exe File opened for modification F:\\autorun.inf 06d2ff9a91b1eff161615886259a513d.exe -
Drops file in Windows directory 7 IoCs
description ioc Process File opened for modification C:\Windows\autorun.inf 06d2ff9a91b1eff161615886259a513d.exe File created C:\Windows\okiloveme.exe 06d2ff9a91b1eff161615886259a513d.exe File created C:\Windows\killer.exe 06d2ff9a91b1eff161615886259a513d.exe File created C:\Windows\YahooMessenger.exe 06d2ff9a91b1eff161615886259a513d.exe File opened for modification C:\Windows\killer.exe 06d2ff9a91b1eff161615886259a513d.exe File opened for modification C:\Windows\YahooMessenger.exe 06d2ff9a91b1eff161615886259a513d.exe File opened for modification C:\Windows\okiloveme.exe 06d2ff9a91b1eff161615886259a513d.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs 06d2ff9a91b1eff161615886259a513d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "exefile" 06d2ff9a91b1eff161615886259a513d.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.reg 06d2ff9a91b1eff161615886259a513d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "exefile" 06d2ff9a91b1eff161615886259a513d.exe -
Suspicious behavior: EnumeratesProcesses 52 IoCs
pid Process 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe 1700 06d2ff9a91b1eff161615886259a513d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\06d2ff9a91b1eff161615886259a513d.exe"C:\Users\Admin\AppData\Local\Temp\06d2ff9a91b1eff161615886259a513d.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1700
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
272KB
MD56c363adb2d5827b24ac062ff82edf450
SHA1166db4227c62e1650d1bbdb9257bc149458f594a
SHA256fecb25d604983f0d78066328a59c0ef81e99f7f20a16b1c43378a10d4c625f50
SHA51225da9c793447418e200aef2eee8b1b042f372f807850b2f8165224033762716e514beaad888c0c68ca7ab69b09b2e9dc0f0dd32dd78fe6008f586e4b895cfda2
-
Filesize
994KB
MD506d2ff9a91b1eff161615886259a513d
SHA199725449e7540632e8ccaa9b319c7248bb38b2a1
SHA25667d21e6f78c0c86ff08395258f5b9f078b00aa04ee394eb26d5bce67f7ba0809
SHA5125f6c9107e499c15d44c4b9218c8cffdee55ec0e11b0932f08ceb68bcc94f67f073155646f6ad5135ed2c6917f07ada03b772a9aacef75a8fe1b9e9596eb76c54
-
Filesize
164B
MD5d2c1073a6dc43f12a42cf9fdf8414066
SHA123021985503261efb35ab99669ff0236c3183f30
SHA2569355f534eb683599a58416d1a4dd7de423dc871b8629600be22cd0ef42bf8903
SHA512ab27ff76c0588626458eee580485bd64ae6f528964a9dcf9bf322b6a80672d21d6671cd17e634c56a3edc60dbc5265e48975e5a8092d450a5a74886a78c878aa